gray-lawyer-89054

07/11/2019, 12:57 PM
Hi all, what is the best practice to handle secrets generated in pulumi for an ephemeral env? For ex. I want to create a new instance of MSSQL server on Azure with an admin password in pulumi. One way which comes to my mind is to handle it with Azure Key Vault so as not to lose this password, but maybe there is a better approach which works natively with pulumi. Thanks

better-rainbow-14549

07/11/2019, 1:47 PM
you can use an encrypted pulumi secret
our approach is to use pulumi.random to generate the password, and put it in a keyvault
also you might want to use an azure ad group instead of a single user as the admin
so that you can add yourself to it and log in for troubleshooting

gray-lawyer-89054

07/11/2019, 2:32 PM
ok thanks, I also thought about AD, but in my case it looks like too big an overhead. What do you mean by "encrypted pulumi secret"? Is there any api to add entries to Pulumi.stack.yaml? Or generating passwords outside of pulumi and passing them to it on pulumi up with --secret?

better-rainbow-14549

07/11/2019, 2:32 PM
yeah you can do pulumi config to set a secret
and it will make an entry you can retrieve as normal
but it will be encrypted in the yaml

gray-lawyer-89054

07/11/2019, 2:36 PM
sorry, you mean to do it with the pulumi config set command, right?

better-rainbow-14549

07/11/2019, 2:36 PM
yeah

gray-lawyer-89054

07/11/2019, 2:37 PM
ah ok thanks

better-rainbow-14549

07/11/2019, 2:37 PM
iirc it's --secret

gray-lawyer-89054

07/11/2019, 2:37 PM
👍

big-piano-35669

07/11/2019, 3:17 PM
If you want to create the secret programmatically, you can use the pulumi.secret(v) function and it'll be encrypted in the state file, just like the CLI does. This combines nicely with what Oliver suggested, e.g. generating it with the random package.

gray-lawyer-89054

07/12/2019, 9:55 AM
yes, right. It looks like the simplest option, thanks